Applied Login Security
page 3 of 6
by Tim Musschoot

Security flaws

The most commonly used attack mechanism on a database-based login system is the so-called "SQL injection attack". Many login validation functions validate access through a query similar to the one below:

' Classic ASP (VBScript): the query is built by concatenating the raw user input.
"SELECT COUNT(login) " & _
"FROM usertable " & _
"WHERE login = '" & login & "' AND password = '" & password & "'"


Here, login and password are the values retrieved from the user input textboxes. If the login/password combination is found in the database, the result is not 0 and the user is granted access; otherwise he is not.

I bet 70%-80% of web developers simply base their login system on a similar query. The message to these developers is: WATCH OUT. Your site is as secure as a safe with an open door! Why? As long as the user is computer illiterate, you are safe. However, fewer and fewer people are. When you are dealing with a user with advanced computer knowledge, or someone with malicious intentions (the two are not to be confused!), your login system is just a minor annoyance.

Suppose a user trying to get in has no valid login/password, but wants access to your system. He could try all possible combinations of usernames and passwords until he gets lucky. This is called a "stupid hacker". The number of possible combinations is far too large to achieve a result in an acceptable amount of time, so this is not a very practical approach.

Suppose the user is smart. Instead of the trial-and-error method, he takes a more advanced approach. Suppose he enters this data in the login screen:

- Login: ' OR 1=1 OR login='
- Password: ' OR 1=1 OR password='

This would result in this query:

SELECT COUNT(login)
FROM usertable
WHERE login = '' OR 1=1 OR login = '' AND
      password = '' OR 1=1 OR password = ''

The result of this query is… the number of users in the database. If the check only refuses access when the result is 0 (i.e. no user is found), the user is granted access to the system.

This is an example of an "SQL injection attack". The number of websites vulnerable to this type of attack is innumerable. In this example, I used a query that provides access to the website. However, the malicious user might as well delete information from the database, stop your database server, retrieve information from the database (login names, passwords, credit card details, …), create a new account without the administrator's knowledge, … Not scared yet? If the online system accesses your business software/database directly, he can corrupt every piece of data in your database. For small companies without a very decent backup and recovery system, this can cause bankruptcy. For better equipped companies, it can also harm their business (data between the last backup and the current moment can be lost). This is under the assumption that the problem is discovered immediately. If the damage is not very visible to the company, it might well take weeks or months before it is discovered. Think about the consequences for your company if this happens.
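The following is an added example, not code from the article: it rebuilds the article's login check in Python against an in-memory SQLite table (table and column names are the article's; the three user rows are constructed) and shows that the concatenated query returns the whole user count for the injected input, while the same check with bound parameters returns 0.

```python
import sqlite3

# Constructed sample rows; not data from the article.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55word")]

# The article's own injected values for the two textboxes.
INJECTED_LOGIN = "' OR 1=1 OR login='"
INJECTED_PASSWORD = "' OR 1=1 OR password='"


def make_db():
    """Create the article's usertable in memory and fill it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO usertable VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, login, password):
    """Mirror of the article's concatenated query: user input becomes SQL text."""
    sql = ("SELECT COUNT(login) FROM usertable WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def safe_login(conn, login, password):
    """Same check with bound parameters: the input is treated as data, never as SQL."""
    sql = "SELECT COUNT(login) FROM usertable WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0]


def has_access(count):
    """The article's decision rule: access is refused only when the count is 0."""
    return count != 0


def demo():
    """Run both checks with a valid login and with the injected input."""
    conn = make_db()
    return {
        "vuln_valid": vulnerable_login(conn, "alice", "s3cret"),
        "vuln_injected": vulnerable_login(conn, INJECTED_LOGIN, INJECTED_PASSWORD),
        "safe_valid": safe_login(conn, "alice", "s3cret"),
        "safe_injected": safe_login(conn, INJECTED_LOGIN, INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: count={count} access={has_access(count)}")
```

With the concatenated query the injected input yields the number of rows in usertable (3 here), so the count-not-zero rule grants access; the parameterized query yields 0 and access is refused.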



User Comments

Title: web-based login security
Name: nikunj patel
Date: 2009-08-16 11:29:27 AM
Comment:
Can you put up the full information about the WEB-BASED LOGIN SECURITY..... because I really want to know about all of this topic.
Title: great
Name: Shiv Kumar
Date: 2008-08-11 4:34:18 AM
Comment:
Really helpful......
Title: help me
Name: noha
Date: 2006-03-09 5:02:47 AM
Comment:
Hi, I programmed and designed pages with ASP and used the session for security, but I have a problem: the session disappears.
When I send the session to multiple pages, the session becomes null.
Title: Excellent
Name: Amit
Date: 2005-12-10 2:43:27 AM
Comment:
Another good one, keep them coming.
Title: good
Name: john
Date: 2005-09-19 9:23:06 PM
Comment:
Very helpful to the beginner.
Title: Good Stuff
Name: Nicholas
Date: 2005-06-27 3:20:55 AM
Comment:
Great Article! Keep writing
Title: security topics
Name: srinivas
Date: 2005-05-01 1:53:45 AM
Comment:
Very good
Title: impressed
Name: rudra
Date: 2004-06-18 4:02:13 PM
Comment:
Hi Tim,

I love your article, it's great; things like this you cannot find in books. I am highly impressed with your article.
Thanks, keep writing these types of articles. Can you suggest a book on ASP.NET security? You can mail me at this address: rudra_mah@rediffmail.com.
Bye

©Copyright 1998-2024 ASPAlliance.com